EP2680182A1 - Mobile device and method to monitor a baseband processor in relation to the actions on an application processor - Google Patents
- Publication number: EP2680182A1 (application EP13167024.2A)
- Authority: EP (European Patent Office)
- Prior art keywords: baseband, mobile device, component, processor, application
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/125—Protection against power exhaustion attacks
Definitions
- the resulting situation is detrimental to the security and protection of the mobile device's user against the types of over-the-air attack described above. Even when new attacks are published and become widespread, the standard simple defense strategy of applying a software update may not be available.
- the invention disclosed herein therefore describes the missing piece in the security armor: means and methods to mitigate and prevent these types of attacks.
- the invention intends to provide a solution for the missing security on the baseband processor.
- in order to defend against an attack on the baseband CPU, the attack first needs to be detected.
- since the baseband firmware itself typically contains only insufficient or no provisions for detecting attacks, a new method is required.
- One core idea behind the invention is to monitor the behavior of the baseband CPU, as reflected in various externally observable signs, and correlate this behavior with information about the actual intended activities of the mobile device's user.
- the invention consists of several components.
- the data collection, aggregation and analysis of detected suspicious events from multiple mobile devices can be used by a centralized reporter monitoring component to distribute warnings to the users of either all or only a selected subset of mobile devices connected to the respective reporter component, to adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter, and/or to initiate more extensive logging. This is done by a centralized server structure which is connected to the devices over the internet.
- the initiation of countermeasures designed to ward off the suspicious/illegitimate baseband activities comprises one or more of the following: resetting the baseband processor, resetting the phone, forcing all connections to be dropped. This list is not exhaustive.
- the monitoring of communication interfaces or memory areas shared between application processor and baseband processor for patterns associated with exploit attempts comprises one or more of the following:
- the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following:
- the evaluator component runs as an application on the application processor.
- the evaluator component flags the absence of standard A5/1, A5/2, or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.
- the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network, and the defense component warns the mobile device's user that a rogue base station (a so-called "IMSI catcher") has been detected and/or shuts down the baseband processor in order to prevent exploitation.
- IMSI catcher: An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service provider's real towers. As such it is considered a man-in-the-middle (MITM) attack. It is used as an eavesdropping device for interception and tracking of cellular phones and is usually undetectable for the users of mobile phones.
- VTS: virtual base transceiver station
- IMSI: International Mobile Subscriber Identity
- the evaluator component categorizes activities on the baseband processor in different classes ranging from normal/inconspicuous to highly suspicious.
- the evaluator plots all the events in a diagram that shows baseband activity and the suspectedness of baseband activities over time, and displays this diagram on either the mobile device's screen or an external display device.
- the evaluator component compiles the information on suspectedness of baseband activities over time in one single integrated graphical representation of the overall threat level in respect to the mobile device's baseband processor or in the form of a 'threat level thermometer' that is displayed on either the mobile device's screen or an external display device.
- the evaluator component records baseband activity in a log file that can subsequently be read and combined with log files from other mobile devices by a centralized reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject.
- the evaluator component transmits data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks.
- the reporter remote analytics entity sends out warnings and configuration changes to either all or only a selected subset of mobile devices in respect to detected hostile network activity (e.g. based on the mobile devices' location and the location of areas where over-the-air attacks cluster).
- the reporter remote analytics entity sends out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious/illegitimate activities.
- mobile devices are connected to the centralized reporter monitoring component via a direct wireless data connection, or via a synchronization mechanism that is activated whenever the phone is connected to a desktop computer to synchronize data with it.
- the central reporter component can adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter component (e.g. by lowering the suspiciousness level before countermeasures are initiated, or initiating more extensive logging).
- the defense component runs as an application on the application processor.
- if the baseband monitor component detects an ongoing call by monitoring the baseband processor while, at the same time, the application monitor component reports that the telephony software running on the application CPU has not initiated or accepted a call, then the evaluator mechanism will determine that the likelihood of malicious baseband behavior is high, and that this is very likely the result of an attack.
- the invention provides a method to analyze the security of a mobile terminal comprising an application processor (AP) and a baseband processor (BP) that exchange information.
- the method comprises the steps:
- the information is stored, in a possible embodiment, in a database or container which can be accessed by a correlation engine to find correlations between at least two pieces of the information above that indicate an unsecure situation, and to trigger an alarm.
- All these pieces of information are used to find a correlation between the information of the baseband-monitor application and the information of the application-monitor application that indicates an unsecure situation, and to trigger an alarm.
- a correlation engine defines and maintains patterns of secure and unsecure states, which are then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
- power consumption is analyzed by subtracting the area under the expected battery discharge curve, as computed on the basis of application and operating system power usage, from the area under the actually measured discharge curve; if the measured curve deviates significantly from the expected one, i.e. the resulting area is large, and an IP session or phone call is ongoing over the BP, an alarm is triggered.
- a user setting is provided allowing the configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
- the mobile device is reset or all connections are forced to be dropped.
- a further part of the invention is a mobile terminal comprising an application processor (AP) and a baseband processor (BP) that exchange information, and a Baseband-monitor application and an Application-monitor application running on the AP or BP; the monitor applications are configured to collect one or more of the following information:
- a correlation application being configured to find correlations between at least two pieces of the information above that indicate an unsecure situation, and to trigger an alarm.
- the correlation engine is configured to define and maintain patterns of secure and unsecure states, which are then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
- power consumption is analyzed by subtracting the area under the expected battery discharge curve, as computed on the basis of application and operating system power usage, from the area under the actually measured discharge curve; if the measured curve deviates significantly from the expected one, i.e. the resulting area is large, and an IP session or phone call is ongoing over the BP, an alarm is triggered.
- the correlation engine is configured to provide a user setting allowing the configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
- the mobile terminal wherein in case of the alarm the BP is reset, the mobile device is reset or all connections are forced to be dropped.
- the mobile device configured to detect an attack on a baseband processor comprises a baseband processor and an application processor, which may or may not be integrated in a single chip, and comprises:
- the components mentioned above can be implemented in software or hardware or a combination thereof; in the case of software they run on the application processor, on the baseband processor, or partially on both.
- the invention consists in a possible configuration of the following components:
- Baseband-Monitor that observes the behavior of the baseband. It uses all means available to determine the current behavior of the Baseband Processor (BP).
- the Baseband-Monitor is an application which preferably runs on the application processor (AP). It is also possible that parts of the Baseband-Monitor run on the BP.
- the Baseband-Monitor in the preferred embodiment uses the interfaces and functions of the BP which are provided in the standard configuration. The information and interfaces available differ depending on the capabilities of the baseband processor and the interfaces made available on a specific phone model/mobile terminal, and include but are not limited to:
- the Baseband-Monitor provides a rich set of information on the current activities of the baseband.
- the level of detail depends on the availability of data sources in the specific phone model. Not all data sources are usually available on all phone models.
- the other component of the invention in the possible configuration of two components is a monitoring and alerting component that observes the parameters, time and duration of legitimate software and user activities on the application CPU that cause normal Baseband activities intended by the user. Under normal circumstances, most Baseband activities with some known exceptions are correlated with user interaction, like making a call or loading a web page, or known-to-be-good automated application activity, like checking e-mail.
- application use of the baseband is monitored on the AP by various means, like hooking or replacing the respective "provider" functions in the operating system that manage the communication with the baseband. This analysis can also be performed by checking the network traffic, for example by sniffing the ports and the IP packets, or by using proxies which are located between the applications and the baseband.
- the communication between the AP and BP can be monitored by reading the shared memory which is normally used for the information exchange between the two units.
- the activity of the applications, for example their processor usage, can be monitored to detect whether an application is very active or suspended; the process scheduler of the operating system can provide this information.
- the event table of the operating system can be checked and verified. In the event table the applications running on the AP report their actions, errors and warnings.
- monitoring on the AP can also be done by tracking the use of a user interface like a keyboard or a touch screen. For example, if an SMS has been sent by an application without any user input having been detected, this indicates a security problem.
- the same conclusion can be drawn if the mobile terminal is in standby mode and an SMS is sent or a phone call is made.
- the monitoring application on the AP collects this information and stores the information over a defined time period in a database.
- the storing and collecting of the information is done in defined time intervals or driven by events like interrupts.
- Each piece of collected information carries, in a possible implementation, a time stamp, which allows finding time correlations.
- the information can be categorized which allows the implementation of general concepts and rules on the categories.
- the mechanism then correlates the data from the Baseband monitoring (described above) and the data from the application CPU monitoring to distinguish between legitimate and suspicious Baseband activities. Suspicious are activities that cause transmissions or resource consumption on the Baseband but are not correlated to legitimate user activities.
- One very simple example is that if the Baseband is detected by the monitoring component to have an active call ongoing while no phone call is made or accepted by the telephony software, very likely this is the result of an attack.
- the correlation engine of the invention builds a pattern of "normality" that is then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
- a simple example is the analysis of the battery discharge curve while taking into account the power usage of applications and sensors as provided by the operating system, or a separate readout of power consumption data from the respective phone sensors. If the actual discharge curve deviates from the expected precalculated discharge curve, malicious baseband activity is suspected.
- These statistical concepts are well known, so that a further discussion can be omitted.
- logical dependencies can be expressed by definable expressions, using conditional expressions, logical conjunctions, etc.
- the detection of ongoing suspicious baseband activity can rely on one or a combination of data sources on the baseband and application CPU. Specific user usage patterns are taken into account by an adaptation mechanism built into the correlation engine.
- a user setting is provided to allow for a configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
- the battery current and voltage measurement is used to check for a deviation from the expected power consumption.
- An ongoing attack that would e.g. use the baseband to transmit room audio to the attacker by means of a surreptitious call or periodic data transmissions would cause a deviation between the power consumption actually measured at the battery and the expected consumption computed from the phone's power profile.
- countermeasures can be taken, for instance but not limited to resetting the baseband, resetting the phone, forcing all connections to be dropped and/or alerting the phone's user.
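The evaluator rules described above, worked out as an added example that is not code from the patent or any product: a small correlation engine over time-stamped samples from a hypothetical baseband monitor and application monitor. It implements the ongoing-call-without-telephony-activity rule, the standby rule (a data session while the device is idle with no user input and no application using the network), and the battery rule (area under the measured discharge curve minus area under the profile-based expected curve, gated on a call or IP session being open on the BP, with a user-settable sensitivity). The Sample fields, rule names, thresholds and all sample values are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Sample:
    """One correlation-engine record: what both monitors reported at time t (seconds)."""
    t: float
    bp_call_active: bool   # baseband monitor: a voice call channel is open on the BP
    bp_ip_session: bool    # baseband monitor: a data (IP) session is open on the BP
    ap_call_active: bool   # application monitor: telephony software dialed or accepted a call
    ap_net_active: bool    # application monitor: some app is using the network "provider" API
    ap_user_input: bool    # application monitor: keyboard/touch input seen in this interval
    ap_standby: bool       # application monitor: device is in standby (screen off, idle)
    expected_ma: float     # expected current draw (mA) computed from the app/OS power profile
    measured_ma: float     # current draw (mA) actually measured at the battery


def runs(samples: List[Sample], pred: Callable[[Sample], bool]) -> List[Tuple[float, float]]:
    """Collapse consecutive samples for which pred() holds into (t_start, t_end) intervals."""
    out, start, last = [], None, None
    for s in samples:
        if pred(s):
            start = s.t if start is None else start
            last = s.t
        elif start is not None:
            out.append((start, last))
            start = None
    if start is not None:
        out.append((start, last))
    return out


def area_under_curve(samples: List[Sample], key: str) -> float:
    """Trapezoidal integral of a current (mA) series over time -> charge in mA*s."""
    return sum(0.5 * (getattr(a, key) + getattr(b, key)) * (b.t - a.t)
               for a, b in zip(samples, samples[1:]))


def battery_deviation(samples: List[Sample]) -> float:
    """Measured minus expected charge consumption; positive = drain the AP cannot account for."""
    return area_under_curve(samples, "measured_ma") - area_under_curve(samples, "expected_ma")


def evaluate(samples: List[Sample], sensitivity: float = 0.25) -> List[dict]:
    """Apply the correlation rules and return the alarms raised.

    sensitivity is the user setting from the text: the fraction of the expected consumption
    that unexplained drain may exceed before the power rule fires (raise it for fewer alarms).
    """
    alarms = []
    # Rule 1 (high): a call is ongoing on the BP, but the telephony software on the AP
    # has neither initiated nor accepted one -> very likely an attack.
    for t0, t1 in runs(samples, lambda s: s.bp_call_active and not s.ap_call_active):
        alarms.append({"rule": "call_without_ap_call", "level": "high", "start": t0, "end": t1})
    # Rule 2 (medium): data session on the BP while the device is in standby, no user input
    # was seen and no application is using the network provider functions.
    for t0, t1 in runs(samples, lambda s: s.bp_ip_session and s.ap_standby
                       and not s.ap_user_input and not s.ap_net_active):
        alarms.append({"rule": "data_session_in_standby", "level": "medium", "start": t0, "end": t1})
    # Rule 3 (medium): battery discharge deviates from the profile-based expectation while
    # a call or IP session is open on the BP.
    expected = area_under_curve(samples, "expected_ma")
    unexplained = battery_deviation(samples)
    bp_busy = any(s.bp_call_active or s.bp_ip_session for s in samples)
    if expected > 0 and unexplained / expected > sensitivity and bp_busy:
        alarms.append({"rule": "power_deviation", "level": "medium",
                       "unexplained_mAs": round(unexplained, 1)})
    return alarms


def countermeasure(alarms: List[dict]) -> str:
    """Map the alarm set to one of the countermeasures named in the text."""
    levels = {a["level"] for a in alarms}
    if "high" in levels:
        return "reset_baseband"
    if "medium" in levels:
        return "warn_user"
    return "none"


# Constructed sample window (10 s intervals): an e-mail check at t=0-10 (legitimate data use),
# a call on the BP at t=20-40 that the telephony app never placed, and a data session at
# t=60-70 while the phone sits idle in standby. Expected draw comes from the AP power profile.
#                t   bp_call bp_ip  ap_call ap_net ap_in  standby exp meas
SAMPLES = [Sample(0,  False, True,  False, True,  False, False, 80, 82),
           Sample(10, False, True,  False, True,  False, False, 80, 81),
           Sample(20, True,  False, False, False, False, True,  50, 230),
           Sample(30, True,  False, False, False, False, True,  50, 235),
           Sample(40, True,  False, False, False, False, True,  50, 232),
           Sample(50, False, False, False, False, False, True,  50, 55),
           Sample(60, False, True,  False, False, False, True,  50, 120),
           Sample(70, False, True,  False, False, False, True,  50, 118)]

if __name__ == "__main__":
    found = evaluate(SAMPLES)
    for alarm in found:
        print(alarm)
    print("countermeasure:", countermeasure(found))
```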
Abstract
a) acquiring by a Baseband-monitor application and an Application-monitor application running on the mobile device one or more of the following information:
- Information from the BP about opening and closing of transmission channels to and from a base station;
- Information from the baseband CPU about protocol transmissions to and from the station;
- Information from the baseband CPU about the volume of data transmission;
- Measure response times to standard service requests from the application CPU (AP) to the baseband CPU (BP);
- Information on the power consumption of phone components;
- Information on the current and voltage delivered by the battery to the phone;
- Configuration of the audio path, to determine which component or application is using the microphone;
- Monitor the running applications on the AP;
- Monitor the status of the running applications on the AP;
- Monitor the time or duration of applications running on the AP;
- Monitor the input or output of the applications running on the AP;
- Monitor the input of a user to a user interface.
Description
- The invention disclosed herein describes devices and methods to mitigate and prevent over-the-air attacks against the baseband processor of mobile devices by means of monitoring the baseband processor's behavior, correlating this behavior with the intentions of the user (as expressed by the behavior of the application processor), and taking appropriate countermeasures against attacks.
- Modern mobile devices (typically, mobile phones and tablet computers with cellular network connectivity) consist of at least two separate processors: the so-called application CPU (Central Processing Unit), which runs the operating system, user interface and applications, and the so-called baseband CPU, which runs all the necessary software to interface with the mobile network (e.g. GSM (Global System for Mobile Communications), 3G, CDMA (Code Division Multiple Access), CDMA2000, UMTS (Universal Mobile Telecommunications System), or LTE (Long Term Evolution)).
- A mobile application processor is a system on a chip designed to support applications running in a mobile operating system environment. The system on a chip can be physically independent from the baseband CPU as separate chip or can be implemented physically integrated into one chip together with the baseband CPU.
- A mobile application processor provides a self-contained operating environment that delivers all system capabilities needed to support a device's applications, including memory management, graphics processing, and multimedia decoding.
- Mobile application processors may be independent from other specialized processors in the same mobile device, such as a phone's baseband (wireless communications) processor.
- Some vendors manufacture their own mobile application processors. Other vendors purchase their mobile application processors, using them as original equipment manufacturer (OEM) components. For example, the Qualcomm Snapdragon mobile application processor is contained in many smart phones that use Snapdragon to run the Android operating system and Android applications. In this way, every phone manufacturer need not develop its own mobile application processor (although they can); this approach reduces bill-of-materials cost and makes it possible to develop low-cost "smart" consumer electronics.
- A wide variety of mobile devices contain mobile application processors, including feature phones, smartphones, tablets, eReaders, netbooks, automotive navigation devices, and gaming consoles.
- A baseband processor (also known as baseband radio processor, BP, or BBP) is a device (a chip or part of a chip) in a network interface that manages all the radio functions (all functions that require an antenna). This may or may not include WiFi and/or Bluetooth. It typically uses its own RAM and firmware. This RAM can also be shared with the application processor.
- The reasons for separating the baseband processor from the application CPU (known as the AP or Application Processor) are:
- 1. radio performance: radio control functions (signal modulation, encoding, radio frequency shifting, etc.) are highly timing dependent, and require a real-time OS
- 2. legal: some authorities (e.g. the U.S. Federal Communications Commission (FCC)) require that the entire software stack running on a device which communicates with the cellular network must be certified. Separating the BP into a different component allows reusing them without having to certify the full AP.
- 3. radio reliability: Separating the BP into a different component ensures proper radio operation while allowing application and OS changes.
- Baseband processors typically run an RTOS written in firmware: e.g. Nucleus RTOS (iPhone 3G/3GS/iPad), ENEA's OSE, VRTX, ThreadX (iPhone 4)
- Significant baseband manufacturers include MediaTek, Broadcom, Icera, Intel Mobile Communications (the former Infineon wireless division), Qualcomm, ST-Ericsson.
- The BP and the AP can communicate and exchange information. One possibility is to use shared memory, which is controlled by a memory controller or a memory management unit. In this context the terms memory controller and memory management unit are used to identify the same unit, which has the functionality of a memory controller, of a memory management unit, or of both. The memory controller controls regions of the memory for the AP and the BP, and in some areas concurrent access is possible by both the AP and the BP. Also a bus system is possible over which the AP and the BP exchange information. Also private memory sections with private memory controllers and a mutual memory controller for a shared area are possible solutions. There is also a certain exchange of commands between BP and AP, for example to initiate a call from an application running on the AP, or to start an application when a call is detected by the BP.
- The memory controller is a digital circuit which manages the flow of data going to and from the main memory. It can be a separate chip or integrated into another chip, such as on the die of a microprocessor. This is also called a Memory Chip Controller (MCC). Memory controllers contain the logic necessary to read and write to RAM or DRAM, and to "refresh" the DRAM by sending current through the entire device. Without constant refreshes, DRAM will lose the data written to it as the capacitors leak their charge within a fraction of a second. Reading and writing to DRAM is performed by selecting the row and column data addresses of the DRAM as the inputs to the multiplexer circuit, where the demultiplexer on the DRAM uses the converted inputs to select the correct memory location and return the data, which is then passed back through a multiplexer to consolidate the data in order to reduce the required bus width for the operation. The memory controller might also be necessary to control the concurrent access to the RAM by different components of the device and the CPUs of the device.
- While the security situation for software running on the application CPU largely follows the methods and procedures developed for desktop computers (e.g. running anti-virus software, firewalls, restricting code execution to signed applications, etc.), the security of the baseband processor has been mostly ignored so far. This is despite the fact that the baseband CPU is a complex hardware component in an exposed position: the baseband CPU is connected on one side to the mobile network(s) and on the other side to the application CPU. All data transmissions, phone calls, SMS messages, etc. from and to the mobile networks as requested by software running on the application CPU pass through the baseband CPU.
- With increasing availability of private GSM and 3G base stations, a so far largely neglected class of attacks against the security and integrity of a mobile device becomes feasible and, consequently, more widespread. This class of attacks is characterized by forcing or "seducing" the victim's mobile device to camp on a base station that is under the control of the attacker. The attacker then uses manipulated transmissions to trigger security vulnerabilities on the victim's mobile device (e.g. buffer overruns, memory corruption, stack overflows etc.) and cause the victim's mobile device to behave in ways favorable to the attacker. The attacker can for example cause the victim's mobile device to accept incoming calls without ringing or any user interaction (thus allowing the attacker to eavesdrop on conversations held in the vicinity of the victim's phone), or let malicious software run on the baseband CPU to cause unintended behavior like monitoring of ongoing communications or exfiltration of critical data.
- The security quality of the software running on today's baseband CPUs is on average rather low, as large parts of the necessary protocol stacks have been written back in the 1990s, before secure programming guidelines were known or observed. Fixing or patching baseband software for security reasons is very seldom done by the device manufacturers. There is a multitude of reasons for this problem: the baseband chipsets are developed and manufactured by a very small group of specialized companies which typically supply both the chips and the software/firmware running on them. The baseband software is usually customized to the needs of the specific phone either by the baseband processor's manufacturer, the phone's manufacturer, or both. These relationships, interdependencies, and the question of code ownership are often complicated. The result is a situation where baseband firmware is typically only updated when there are problems with battery lifetime or data throughput. Building new baseband firmware is a process that might also involve the need to obtain new regulatory approvals from bodies like the Federal Communications Commission (FCC), which is costly and time-consuming, such that the process may not be completed during the market life cycle of the mobile device in question.
- The resulting situation is detrimental to the security and protection of the mobile device's user against the types of over-the-air-attack described above. Even when new attacks are published and become widespread, the standard simple defense strategy of applying a software update may not be available. The invention disclosed herein therefore describes the missing piece in the security armor: means and methods to mitigate and prevent these types of attacks.
- The invention intends to provide a solution for the missing security on the baseband processor.
- In order to defend against an attack on the baseband CPU, the attack first needs to be detected. As the baseband firmware itself typically contains only insufficient or no provisions for detection of attacks, a new method is required. One core idea behind the invention is to monitor the behavior of the baseband CPU, as reflected in various externally observable signs, and correlate this behavior with information about the actual intended activities of the mobile device's user. The invention consists of several components.
- Method for detecting an attack on the baseband processor of a mobile device which contains a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps:
- a) monitoring, by dedicated baseband monitor software (can also be a hardware component), the behavior of the baseband processor by using features available on the respective mobile device,
- b) monitoring, by a dedicated application monitor component (which can be implemented in either software or hardware), the behavior of the application processor by keeping a record of the parameters, execution time, and execution duration of legitimate software and user activities on the application processor that cause normal baseband activities as intended by the user;
- c) correlating by an evaluator component (which can be implemented in either software or hardware) the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious/illegitimate baseband activities,
- d) initiation of countermeasures by a defense component (which can be implemented in either software or hardware) designed to ward off the suspicious/illegitimate baseband activities.
- In a possible embodiment the data collection, aggregation and analysis of detected suspicious events from multiple mobile devices can be used by a centralized reporter monitoring component to distribute warnings to the users of either all or only a selected subset of mobile devices connected to the respective reporter component, to adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter, and/or to initiate more extensive logging. This is done by a centralized server structure which is connected to the devices over the internet.
- In a possible embodiment the initiation of countermeasures designed to ward off the suspicious/illegitimate baseband activities comprises one or more of the following: resetting the baseband processor, resetting the phone, forcing all connections to be dropped. It has to be noted that this list is not limited to the listed options.
- In a possible embodiment the monitoring by the baseband monitor comprises one or more of the following:
- collecting information on power consumption of individual hardware components of the mobile device,
- collecting information on audio path configuration,
- collecting information on the response time to normal service requests from the application processor to the baseband processor;
- monitoring of communication interfaces or memory areas shared between application processor and baseband processor for atypical communication patterns,
- monitoring of communication interfaces and memory areas shared between application processor and baseband for patterns associated with exploit attempts,
- collecting information obtained from the baseband processor's debugging output. It has to be noted that this list is not limited to the listed options.
- In a possible embodiment the monitoring of communication interfaces or memory areas shared between application processor and baseband processor for patterns associated with exploit attempts, comprises one or more of the following:
- Monitoring malformed messages or data structures or very large data blocks;
- Monitoring the usage of procedures, functions, features or messages not seen in normal operations;
- Monitoring attempts to access memory areas not consistent with normal operations.
- In a possible embodiment the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following:
- timing and volume of voice call setup attempts,
- timing and volume of data transmission,
- timing and volume of SMS message transmission,
- timing and sequence of establishment of traffic channels.
- In a possible embodiment the evaluator component runs as an application on the application processor.
- In a possible embodiment the evaluator component flags the absence of standard A5/1, A5/2, or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.
- In a possible embodiment the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network and the defense component warns the mobile device's user that a rogue base station (a so-called "IMSI catcher") has been detected, and/or the defense component shuts down the baseband processor in order to prevent exploitation.
- An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service provider's real towers. As such it is considered a Man In the Middle (MITM) attack. It is used as an eavesdropping device used for interception and tracking of cellular phones and usually is undetectable for the users of mobile phones. Such a virtual base transceiver station (VBTS) is a device for identifying the International Mobile Subscriber Identity (IMSI) of a nearby GSM mobile phone and intercepting its calls and messages.
- In a possible embodiment the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network using one or more of the following pieces of information:
- cell identification, distance, and signal strength,
- signal growth/attenuation,
- forced network change from 3G to 2G network,
- unusual changes in the list of neighboring cells,
- unusual configuration parameters of the mobile base station designed to make it appear more 'attractive' to the targeted mobile device(s),
- network parameters not consistent with the mobile device's location and/or the currently selected mobile network operator
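The indicator list above, together with the link-encryption check from the earlier embodiment, worked as a small evaluator; this is an added example, not code from the patent. The observation fields (cell id, PLMN, RAT, RSSI, reported cipher, neighbour list, reselection offset), the indicator weights and the class thresholds are assumptions, and the three observations are constructed.

```python
"""Rogue base station evaluator over the indicators listed above.
Added example, not the patent's code: fields, weights and thresholds are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

A5_CIPHERS = {"A5/1", "A5/2", "A5/3"}   # standard GSM link ciphers


@dataclass(frozen=True)
class CellObservation:
    t: float                    # seconds since the monitor started
    cell_id: int                # serving cell identification
    plmn: str                   # MCC+MNC the cell claims to belong to
    rat: str                    # "2G" (GSM) or "3G" (UMTS)
    rssi_dbm: int               # received signal strength
    cipher: Optional[str]       # cipher the BP reports for the connection, None = none
    neighbours: FrozenSet[int]  # neighbour cells announced by the serving cell
    reselect_offset_db: int     # cell reselection offset advertised by the cell


@dataclass(frozen=True)
class EvaluatorConfig:
    signal_jump_db: int = 20            # sudden gain vs. the previous serving cell
    min_neighbour_overlap: float = 0.3  # Jaccard overlap of consecutive neighbour lists
    max_reselect_offset_db: int = 30    # larger offsets make a cell unusually "attractive"
    suspicious_score: int = 2
    highly_suspicious_score: int = 5


# Weight per indicator; the sum decides the class (normal .. highly suspicious)
WEIGHTS = {"no_link_encryption": 3, "plmn_mismatch": 3, "rat_downgrade": 2,
           "attractive_reselect_params": 2, "signal_jump": 1,
           "neighbour_list_change": 1, "unseen_cell": 1}


def neighbour_overlap(a: FrozenSet[int], b: FrozenSet[int]) -> float:
    """Jaccard similarity of two neighbour lists (1.0 when both are empty)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def indicators(history: List[CellObservation], home_plmn: str,
               cfg: EvaluatorConfig) -> List[str]:
    """Indicators raised by the latest observation, given the earlier ones."""
    if not history:
        return []
    cur = history[-1]
    prev = history[-2] if len(history) > 1 else None
    raised = []
    if cur.cipher not in A5_CIPHERS:
        raised.append("no_link_encryption")
    if cur.plmn != home_plmn:
        raised.append("plmn_mismatch")
    if cur.reselect_offset_db > cfg.max_reselect_offset_db:
        raised.append("attractive_reselect_params")
    if cur.cell_id not in {o.cell_id for o in history[:-1]}:
        raised.append("unseen_cell")
    if prev is not None:
        if prev.rat == "3G" and cur.rat == "2G":
            raised.append("rat_downgrade")
        if cur.rssi_dbm - prev.rssi_dbm >= cfg.signal_jump_db:
            raised.append("signal_jump")
        if neighbour_overlap(prev.neighbours, cur.neighbours) < cfg.min_neighbour_overlap:
            raised.append("neighbour_list_change")
    return raised


def classify(raised: List[str], cfg: EvaluatorConfig) -> str:
    """Class of the latest observation from the weighted indicator sum."""
    score = sum(WEIGHTS[name] for name in raised)
    if score >= cfg.highly_suspicious_score:
        return "highly suspicious"
    if score >= cfg.suspicious_score:
        return "suspicious"
    return "normal"


# Constructed observations: two ordinary cells of the home network, then a
# cell that shows several indicators at once (new id, 3G->2G, +25 dB,
# unencrypted, disjoint neighbour list, large reselection offset).
HOME_PLMN = "26201"
NORMAL = [
    CellObservation(0, 1001, "26201", "3G", -85, "A5/3", frozenset({1002, 1003, 1004}), 0),
    CellObservation(60, 1002, "26201", "3G", -80, "A5/3", frozenset({1001, 1003, 1004}), 0),
]
SUSPECT = NORMAL + [
    CellObservation(120, 9999, "26201", "2G", -55, None, frozenset({8001, 8002}), 60),
]


def evaluate(history: List[CellObservation]):
    """Run the evaluator with default thresholds; returns (indicators, class)."""
    cfg = EvaluatorConfig()
    raised = indicators(history, HOME_PLMN, cfg)
    return raised, classify(raised, cfg)
```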
- In a possible embodiment the evaluator component categorizes activities on the baseband processor in different classes ranging from normal/inconspicuous to highly suspicious.
- In a possible embodiment the evaluator plots all the events in a diagram that shows baseband activity and suspectedness of baseband activities over time and displays this diagram on either the mobile device's screen or an external display device.
- In a possible embodiment the evaluator component compiles the information on suspectedness of baseband activities over time in one single integrated graphical representation of the overall threat level in respect to the mobile device's baseband processor or in the form of a 'threat level thermometer' that is displayed on either the mobile device's screen or an external display device.
- In a possible embodiment the evaluator component records baseband activity in a log file that can subsequently be read and combined with log files from other mobile devices by a centralized reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject to.
- In a possible embodiment the evaluator component transmits data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks.
- In a possible embodiment the reporter remote analytics entity sends out warnings and configuration changes to either all or only a selected subset of mobile devices in respect to detected hostile network activity (e.g. based on the mobile devices' location and the location of areas where over-the-air attacks accumulate).
- In a possible embodiment the reporter remote analytics entity sends out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious/illegitimate activities.
- In a possible embodiment mobile devices are connected to the centralized reporter monitoring component via a direct wireless data connection, or via a synchronization mechanism that is activated whenever the phone is connected to a desktop computer to synchronize data with it.
- In a possible embodiment the central reporter component can adjust the behavior of the evaluator mechanism of mobile devices connected to the respective reporter component (e.g. by lowering the suspiciousness level before countermeasures are initiated, or initiating more extensive logging).
- In a possible embodiment the defense component runs as an application on the application processor.
- In the following an example will be discussed. If the baseband monitor component detects an ongoing call by monitoring the baseband processor, while at the same time, the application monitor component reports that the telephony software running on the application CPU has not initiated or accepted a call, then the evaluator mechanism will determine that the likelihood of malicious baseband behavior is high, and that this is very likely the result of an attack.
- In an alternative embodiment the invention provides a method to analyze the security of a mobile terminal, comprising an application processor (AP), a baseband processor (BP), the AP and the BP exchange information. The method comprises the steps:
- a) acquiring by a Baseband-monitor application and an Application-monitor application running on the mobile device one or more of the following information:
- Information from the BP about opening and closing of transmission channels to and from a base station;
- Information from the baseband CPU about protocol transmissions to and from the base station;
- Information from the baseband CPU about the volume of data transmission;
- Measurement data of response times to standard service requests from application CPU (AP) to baseband CPU (BP);
- Information on the power consumption of phone components;
- Information on the current voltage delivered by the battery to the phone;
- Configuration of the audio path, to determine which component or application is using the microphone;
- Monitor the running applications on the AP;
- Monitor the status of the running applications on the AP;
- Monitor time or duration of applications running on the AP;
- Monitor the input or output of the applications running on the AP;
- Monitor the input of a user to a User-Interface.
- The information is stored in a possible embodiment in a database or container which can be accessed by a correlation engine to find correlations between at least two pieces of information above that indicate an unsecure situation, and triggering an alarm.
- In a possible embodiment the Baseband-monitor application acquires one or more of the following information:
- Information from the BP about opening and closing of transmission channels to and from a base station;
- Information from the baseband CPU about protocol transmissions to and from the base station;
- Information from the baseband CPU about the volume of data transmission;
- Measures response times to standard service requests from application CPU (AP) to baseband CPU (BP). Furthermore the application monitor application acquires one or more of the following information:
- Information of the power consumption of phone components;
- Information of the current and voltage delivered by the battery to the phone;
- Monitors the audio path configuration, by determining which component or application is using the microphone;
- Monitor the running applications on the AP;
- Monitor the status of the running applications on the AP;
- Monitor time or duration of applications running on the AP;
- Monitor the input or output of the applications running on the AP;
- Monitor the input of a user to a User-Interface;
- All these pieces of information are used to find a correlation between the information of the baseband-monitor application and the information of the application-monitor application that indicates an unsecure situation, and to trigger an alarm.
- In a possible embodiment a correlation is defined being likely secure for one or more of the following:
- if the user inputs information to a User-Interface and an application is running which is defined as the receiver of the inputted information, and a network connection on the BP is opened after the inputted information;
- if a web-browser application is started or activated and user input is detected which is directed to the web-browser application and an IP-Session is opened by the BP;
- if an email-application is running and is checking for new emails and an IP-Session is opened by the BP;
- if a phone call application is started, user input is detected, and a voice session is opened by the BP;
- if a phone call application is started and has opened a voice connection over the BP a speaker path to the phone call application is allowed;
- if an instant messaging communication is initiated or received by the user and an IP-Session is opened by the BP;
- if software or system updates are initiated by the user or authorized system services, and an IP-Session is opened by the BP.
- In a possible embodiment a correlation is defined being likely unsecure for one or more of the following:
- if a phone call is ongoing while no phone call is made or accepted by the phone call application or telephony application;
- if the microphone is active and a phone call is ongoing over the BP while no phone call is made or accepted by the phone call application or telephony application;
- if the microphone is assigned to an application that is not allowed to have access to the microphone and which transfers data over the BP as a phone call or an IP-Session;
- if the mobile device is in an idle or sleep mode, while a large amount of data from the storage device of the phone is transferred over an IP-session opened by the BP;
- if the actual power consumption is larger than the displayed power consumption and an IP-session is opened by the BP to transfer data;
- if the actual power differs from the expected power consumption and an IP-session or phone call is ongoing over the BP.
- In a possible embodiment a correlation engine defines and maintains patterns of secure and unsecure states, which are then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
- In a possible embodiment power consumption is analyzed by mathematical subtraction of the area under the curve for battery discharge: if the expected discharge curve, as computed on the basis of application and operating system power usage, deviates significantly from the actually measured discharge curve, the resulting area under the curve (the difference of the two areas) is large, and if at the same time an IP-session or phone call is ongoing over the BP, an alarm is triggered.
- In a possible embodiment a user setting is provided allowing the configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
- In a possible embodiment in case of the alarm the BP is reset, the mobile device is reset or all connections are forced to be dropped.
- A further part of the invention is a mobile terminal comprising an application processor (AP), a baseband processor (BP), the AP and the BP exchanging information, comprising a Baseband-monitor application and an Application-monitor application running on the AP or BP, the monitor applications being configured to collect one or more of the following information:
- Information from the BP about opening and closing of transmission channels to and from a base station;
- Information from the baseband CPU about protocol transmissions to and from the base station;
- Information from the baseband CPU about the volume of data transmission;
- Measures response times to standard service requests from application CPU (AP) to baseband CPU (BP);
- Information of the power consumption of phone components;
- Information of the current and voltage delivered by the battery to the phone;
- Configuration of the audio path, to determine which component or application is using the microphone;
- Monitor the running applications on the AP;
- Monitor the status of the running applications on the AP;
- Monitor time or duration of applications running on the AP;
- Monitor the input or output of the applications running on the AP;
- Monitor the input of a user to a User-Interface;
- further comprising a correlation application being configured to find correlations between at least two of the pieces of information above that indicate an unsecure situation, and to trigger an alarm.
- In a possible embodiment of the mobile terminal the Baseband-monitor application acquires one or more of the following information:
- Information from the BP about opening and closing of transmission channels to and from a base station;
- Information from the baseband CPU about protocol transmissions to and from the base station;
- Information from the baseband CPU about the volume of data transmission;
- Measures response times to standard service requests from application CPU (AP) to baseband CPU (BP); and wherein the application monitor application acquires one or more of the following information:
- Information of the power consumption of phone components;
- Information of the current and voltage delivered by the battery to the phone;
- Monitors the audio path configuration, by determining which component or application is using the microphone;
- Monitor the running applications on the AP;
- Monitor the status of the running applications on the AP;
- Monitor time or duration of applications running on the AP;
- Monitor the input or output of the applications running on the AP;
- Monitor the input of a user to a User-Interface;
- In a possible embodiment of the mobile terminal a correlation is defined being likely secure for one or more of the following:
- if the user inputs information to a User-Interface and an application is running which is defined as the receiver of the inputted information, and a network connection on the BP is opened after the inputted information;
- if a web-browser application is started or activated and user input is detected which is directed to the web-browser application and an IP-Session is opened by the BP;
- if an email-application is running and is checking for new emails and an IP-Session is opened by the BP;
- if a phone call application is started, user input is detected, and a voice session is opened by the BP;
- if a phone call application is started and has opened a voice connection over the BP, a speaker path to the phone call application is allowed;
- if an instant messaging communication is initiated or received by the user and an IP-Session is opened by the BP;
- if software or system updates are initiated by the user or authorized system services, and an IP-Session is opened by the BP.
- In a possible embodiment of the mobile terminal a correlation is defined being likely unsecure for one or more of the following:
- if a phone call is ongoing while no phone call is made or accepted by the phone call application or telephony application;
- if the microphone is active and a phone call is ongoing over the BP while no phone call is made or accepted by the phone call application or telephony application;
- if the microphone is assigned to an application that is not allowed to have access to the microphone and which transfers data over the BP as a phone call or an IP-Session;
- if the mobile device is in an idle or sleep mode, while a large amount of data from the storage device of the phone is transferred over an IP-session opened by the BP;
- if the actual power consumption is larger than the displayed power consumption and an IP-session is opened by the BP to transfer data;
- if the actual power differs from the expected power consumption and an IP-session or phone call is ongoing over the BP.
- In a possible embodiment of the mobile terminal the correlation engine is configured to define and maintain patterns of secure and unsecure states, which are then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis.
- In a possible embodiment of the mobile terminal power consumption is analyzed by mathematical subtraction of the area under the curve for battery discharge: if the expected discharge curve, as computed on the basis of application and operating system power usage, deviates significantly from the actually measured discharge curve, the resulting area under the curve (the difference of the two areas) is large, and if at the same time an IP-session or phone call is ongoing over the BP, an alarm is triggered.
- In a possible embodiment of the mobile terminal the correlation engine is configured to provide a user setting allowing the configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
- In a possible embodiment of the mobile terminal, in case of the alarm the BP is reset, the mobile device is reset or all connections are forced to be dropped.
- Another aspect of the invention is a mobile device that implements the above mentioned aspects. The mobile device configured to detect an attack on a baseband processor comprises a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising:
- a) baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the respective mobile device.
- b) application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that cause normal baseband activities as intended by the user;
- c) evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious/illegitimate baseband activities,
- d) defense component configured to initiate countermeasures designed to ward off the suspicious/illegitimate baseband activities.
- It has to be noted, that the components mentioned above can be software or hardware, in case of software they run on the application processors or on the baseband processor or partially on both.
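The likely secure / likely unsecure correlations listed for the method above, and repeated for the mobile terminal, as a rule-based correlation engine over timestamped monitor events; this is an added example, not the patent's own code. Event names, the correlation window, the set of applications allowed to own the microphone, the large-transfer threshold and the sensitivity setting are assumptions, and the event log is constructed.

```python
"""Correlation engine for the likely secure / likely unsecure correlations above.
Added example, not the patent's code: event names, window, allowed microphone
owners, transfer threshold and sensitivity are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: float            # timestamp attached by the monitor that recorded it
    source: str         # "AP" (application monitor) or "BP" (baseband monitor)
    kind: str           # e.g. "ui_input", "session_open", "data_volume"
    detail: str = ""    # application name, session type ("voice"/"ip") or device state
    value: int = 0      # bytes for "data_volume"


# AP activity that explains a session type opened by the BP
LEGITIMISING = {
    "voice": {("ui_input", "telephony"), ("call_initiated", "telephony"),
              ("call_accepted", "telephony")},
    "ip": {("ui_input", "browser"), ("mail_check", "email"),
           ("im_activity", "messenger"), ("update_check", "system_update")},
}


class CorrelationEngine:
    def __init__(self, window_s: float = 10.0,
                 allowed_mic_apps=("telephony", "voice_recorder"),
                 large_transfer_bytes: int = 1_000_000, sensitivity: int = 1):
        self.window_s = window_s                    # how far back AP activity counts
        self.allowed_mic_apps = set(allowed_mic_apps)
        self.large_transfer_bytes = large_transfer_bytes
        self.sensitivity = sensitivity              # unsecure findings needed for an alarm
        self.findings: List[Tuple[float, str, str]] = []   # (t, verdict, reason)
        self.device_state = "active"
        self.open_sessions: Dict[str, float] = {}   # session type -> open time
        self.recent_ap: List[Event] = []
        self.idle_bytes = 0

    def _note(self, t: float, verdict: str, reason: str) -> None:
        self.findings.append((t, verdict, reason))

    def _legitimised(self, session: str, t: float) -> bool:
        """Is there explaining AP activity within the window before t?"""
        return any((e.kind, e.detail) in LEGITIMISING[session]
                   and t - self.window_s <= e.t <= t for e in self.recent_ap)

    def feed(self, ev: Event) -> None:
        """Update state with one monitor event and record any correlation found."""
        if ev.source == "AP":
            self.recent_ap.append(ev)
        if ev.kind == "device_state":
            self.device_state = ev.detail
            self.idle_bytes = 0
        elif ev.kind == "mic_assigned":
            if ev.detail not in self.allowed_mic_apps and self.open_sessions:
                self._note(ev.t, "likely unsecure",
                           f"microphone assigned to {ev.detail} while a BP session is open")
        elif ev.kind == "session_open":
            self.open_sessions[ev.detail] = ev.t
            if self._legitimised(ev.detail, ev.t):
                self._note(ev.t, "likely secure", f"{ev.detail} session follows application activity")
            else:
                self._note(ev.t, "likely unsecure", f"{ev.detail} session without application activity")
        elif ev.kind == "session_close":
            self.open_sessions.pop(ev.detail, None)
        elif ev.kind == "data_volume":
            if self.device_state in ("idle", "sleep") and "ip" in self.open_sessions:
                self.idle_bytes += ev.value
                if self.idle_bytes >= self.large_transfer_bytes:
                    self._note(ev.t, "likely unsecure", "large data transfer while device idle")
                    self.idle_bytes = 0

    def countermeasure(self) -> Optional[str]:
        """Countermeasure once enough unsecure correlations have been seen."""
        unsecure = [f for f in self.findings if f[1] == "likely unsecure"]
        return "reset baseband and drop connections" if len(unsecure) >= self.sensitivity else None


# Constructed event log: a user-initiated call, then baseband activity with no
# matching application activity while the device is idle.
SAMPLE_EVENTS = [
    Event(0, "AP", "ui_input", "telephony"),
    Event(1, "AP", "call_initiated", "telephony"),
    Event(2, "BP", "session_open", "voice"),
    Event(60, "BP", "session_close", "voice"),
    Event(100, "AP", "device_state", "idle"),
    Event(200, "BP", "session_open", "voice"),
    Event(201, "AP", "mic_assigned", "hidden_service"),
    Event(300, "BP", "session_open", "ip"),
    Event(301, "BP", "data_volume", "ip", 600_000),
    Event(302, "BP", "data_volume", "ip", 600_000),
]


def run(events: List[Event]) -> CorrelationEngine:
    """Feed events in time order and return the engine with its findings."""
    engine = CorrelationEngine()
    for ev in sorted(events, key=lambda e: e.t):
        engine.feed(ev)
    return engine
```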
Also the applications can run on the BP or AP, or partially on the AP or BP, and can be implemented in hardware or software or a combination thereof.
- The invention consists in a possible configuration of the following components:
- One component is a Baseband-Monitor that observes the behavior of the baseband. It uses all means available to determine the current behavior of the Baseband Processor (BP). The Baseband-Monitor is an application which preferably runs as an application on the application processor (AP). It is also possible that parts of the Baseband-Monitor run as an application on the BP. In the preferred embodiment the Baseband-Monitor uses the interfaces and functions of the BP which are provided in the standard configuration. The information and the interfaces available differ depending on the capabilities of the baseband processor and the interfaces made available on a specific phone model/mobile terminal, and include but are not limited to:
- 1. Information from the baseband CPU about opening and closing of transmission channels to and from a base station
- 2. Information from the baseband CPU about protocol transmissions to and from the base station
- 3. Information from the baseband CPU about the volume of data transmission
Further, the Baseband-Monitor:
- 4. Monitors and records the power consumption of phone components (as available)
- 5. Records the current and voltage delivered by the battery to the phone.
- 6. Monitors the audio path configuration (e.g. which component is using the microphone)
- 7. Measures response times to normal service requests from application CPU(AP) to baseband CPU (BP)
- Using these data points the Baseband-Monitor provides a rich set of information on the current activities of the baseband. The level of detail depends on the availability of data sources in the specific phone model. Not all data sources are usually available on all phone models.
- The other component of the invention in the possible configuration of two components is a monitoring and alerting component that observes the parameters, time and duration of legitimate software and user activities on the application CPU that cause normal Baseband activities intended by the user. Under normal circumstances, most Baseband activities, with some known exceptions, are correlated with user interaction, like making a call or loading a web page, or with known-to-be-good automated application activity, like checking e-mail. Application use of baseband resources is monitored on the AP by various means, like hooking or replacing the respective "provider" functions in the operating system that manage the communication with the baseband. This analysis can also be performed by checking the network traffic, for example by sniffing the ports and the IP packets, or by using proxies which are located between the applications and the baseband. Also the communication between the AP and BP can be monitored by reading the shared memory which is normally used for the information exchange between the two units. Also the activity of the applications, for example their processor usage, can be monitored to detect whether an application is very active or suspended; so the information of the process scheduler in the operating system can provide information. Also the event table of the operating system can be checked and verified; in the event table the applications running on the AP give feedback on their actions, errors and warnings. Also monitoring on the AP can be done by tracking the use of a user interface like a keyboard or a touch screen. For example, if an SMS has been sent by an application without detection of a user input, a security problem may be present. The same situation can be determined if the mobile terminal is in a standby mode and an SMS is sent or a phone call is performed.
The monitoring application on the AP collects this information and stores it over a defined time period in a database. The storing and collecting of the information is done in defined time intervals or driven by events like interrupts. In a possible implementation each collected piece of information has a time stamp which allows finding a time correlation. Furthermore the information can be categorized, which allows the implementation of general concepts and rules on the categories.
- The mechanism then correlates the data from the Baseband monitoring (described above) and the data from the application CPU monitoring to distinguish between legitimate and suspicious Baseband activities. Suspicious are activities that cause transmissions or resource consumption on the Baseband but are not correlated to legitimate user activities.
One very simple example is that if the Baseband is detected by the monitoring component to have an active call ongoing while no phone call is made or accepted by the telephony software, very likely this is the result of an attack.
- The correlation engine of the invention builds a pattern of "normality" that is then matched against the currently present data by mathematical correlation methods, including but not limited to neural networks and statistical deviation analysis. A simple example is the analysis of the battery discharge curve while taking into account the power usage of applications and sensors as provided by the operating system or a separate readout of power consumption data from respective phone sensors. If the actual discharge curve deviates from the expected precalculated discharge curve, malicious baseband activity is suspected. These statistical concepts are well known, so that a further discussion can be omitted. Also logical dependencies can be expressed by definable expressions, using conditional expressions and logical conjunctions etc. The detection of ongoing suspicious baseband activity can rely on one or a combination of data sources on Baseband and application CPU. Specific user usage patterns are taken into account by an adaptation mechanism built into the correlation engine. A user setting is provided to allow for a configuration of the sensitivity of the alarm and attack countermeasure routines, so the user is not overwhelmed by false alarms.
- In the most simple case, when very little data is available to the Baseband Monitor, the battery current and voltage measurement is used to check for a deviation from the expected power consumption. An ongoing attack that would e.g. use the baseband to transmit room audio to the attacker by means of a surreptitious call or periodic data transmissions would cause a deviation between the power consumption actually measured at the battery and the expected consumption computed from the phone's power profile.
- When suspicious activity is detected in the form of deviation between expected and actual power use, open channels to the base station, data transmission, audio circuit configuration, response times etc. countermeasures can be taken for instance but not limited to resetting the baseband, resetting the phone, forcing all connections to be dropped and / or alerting the phones user.
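The correlation described above, turned into code as an added illustration (this is not code from the patent or from any implementation of it): an application-processor activity log and a baseband sample log are paired by timestamp, the expected discharge is computed from an assumed power profile, and the logical rule ("baseband call with no telephony call behind it") and the statistical rule ("measured draw exceeds the expected draw by more than the user-set tolerance") are applied together. Findings are sorted into the classes normal / suspicious / highly suspicious and mapped to the countermeasures named in the text. The power-profile figures, the record layouts, the two sample logs and the 30 % sensitivity default are assumptions constructed for this example.

```python
"""Correlate baseband (BP) observations with application-processor (AP)
activity to spot baseband use the user did not intend.

Illustrative evaluator in the spirit of the patent's description. The
power-profile numbers, record formats and thresholds are assumptions
chosen for this example, not values taken from the document."""
from dataclasses import dataclass

# Assumed per-activity draw in milliamps; a real phone's power profile
# would supply these. Constructed for this example.
POWER_PROFILE_MA = {
    "idle": 20,        # AP asleep, BP camped on a cell, paging only
    "screen_on": 150,
    "ap_call": 250,    # audio path plus BP traffic channel for a user call
    "ap_data": 200,    # user-initiated data session
}

@dataclass
class ApState:           # what the AP monitor says the user is doing
    t: int               # seconds since start of the window
    screen_on: bool
    call_active: bool
    data_active: bool

@dataclass
class BpSample:          # what the BP monitor reads from the baseband
    t: int
    call_active: bool    # a traffic channel is open
    tx_active: bool      # the radio is transmitting
    battery_ma: float    # discharge current measured at the battery

def expected_draw_ma(ap: ApState) -> float:
    """Precalculated consumption given only the legitimate AP activity."""
    draw = POWER_PROFILE_MA["idle"]
    if ap.screen_on:
        draw += POWER_PROFILE_MA["screen_on"]
    if ap.call_active:
        draw += POWER_PROFILE_MA["ap_call"]
    if ap.data_active:
        draw += POWER_PROFILE_MA["ap_data"]
    return draw

def classify(ap: ApState, bp: BpSample, sensitivity: float = 0.3) -> tuple:
    """Return (class, reasons). `sensitivity` is the user-configurable
    fraction of the expected draw tolerated before a deviation counts."""
    reasons = []
    # Rule 1: logical dependency - a BP call with no AP call behind it.
    if bp.call_active and not ap.call_active:
        reasons.append("baseband call without telephony app call")
    # Rule 2: transmitting while the AP reports neither a call nor data.
    if bp.tx_active and not (ap.call_active or ap.data_active):
        reasons.append("baseband transmitting with no AP call/data")
    # Rule 3: statistical deviation from the expected discharge.
    exp = expected_draw_ma(ap)
    if bp.battery_ma > exp * (1 + sensitivity):
        reasons.append(f"draw {bp.battery_ma:.0f} mA vs expected {exp:.0f} mA")
    if not reasons:
        return "normal", reasons
    return ("highly suspicious" if len(reasons) >= 2 else "suspicious"), reasons

COUNTERMEASURES = {
    "normal": [],
    "suspicious": ["alert user"],
    "highly suspicious": ["alert user", "drop all connections", "reset baseband"],
}

def evaluate(ap_log, bp_log, sensitivity=0.3):
    """Pair each BP sample with the AP state at the same timestamp (the
    constructed logs align) and return one finding per sample."""
    ap_by_t = {a.t: a for a in ap_log}
    findings = []
    for bp in bp_log:
        cls, why = classify(ap_by_t[bp.t], bp, sensitivity)
        findings.append((bp.t, cls, why, COUNTERMEASURES[cls]))
    return findings

# Constructed sample: the user makes a call at t=10..20; at t=40 the
# baseband opens a call and transmits while the phone appears idle.
AP_LOG = [ApState(0, False, False, False), ApState(10, True, True, False),
          ApState(20, True, False, False), ApState(30, False, False, False),
          ApState(40, False, False, False)]
BP_LOG = [BpSample(0, False, False, 22), BpSample(10, True, True, 410),
          BpSample(20, False, False, 165), BpSample(30, False, False, 21),
          BpSample(40, True, True, 240)]

if __name__ == "__main__":
    for t, cls, why, action in evaluate(AP_LOG, BP_LOG):
        print(f"t={t:>3}s {cls:<17} {'; '.join(why) or '-'} -> {action or 'none'}")
```

Only the t=40 sample trips all three rules (a call the telephony app never placed, transmission with no AP activity, and roughly ten times the idle draw), so it is classed as highly suspicious and gets the full set of countermeasures; the legitimate call at t=10 draws about as much but is explained by the AP record, which is the point of correlating the two sides rather than looking at the battery alone.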
The Figures show examples of possible implementations but are not intended to limit the application to these embodiments. Consequently, the scope of protection has to be determined by the broadest interpretation of the claims.

Fig. 1 shows a structure of components and their connections;
Fig. 2 shows the flow diagram of the method of the AP monitor application;
Fig. 3 shows the flow diagram of the method of the BP monitor application;
Fig. 4 shows the flow diagram of the method of the correlation engine.

Fig. 1 discloses the structure of a mobile device with a BP running an operating system (OS) and an AP running its own OS. On the OS of the AP an application monitor application is running which implements the collection of information. Furthermore, the baseband monitor application runs on the AP and collects information. The information is used by a correlation engine application which has access to the collected information. A memory controller (MC) is controlled by firmware / a program. The MC is connected to the memory and controls a memory that is logically divided into shared memory, AP memory and BP memory. The logical separation is provided by the memory controller and its firmware. The memory controller is connected to both the BP and the AP.

Fig. 2 shows a flow diagram of the application monitor, which collects specific data and stores the data in a database. The data can be collected cyclically or event-driven.

Fig. 3 shows a flow diagram of the baseband monitor application, which collects specific data and stores the data in a database. The data can be collected cyclically or event-driven.

Fig. 4 shows a flow diagram of the correlation engine, which has access to the database and reads the information to find insecure patterns by finding an insecure correlation. If an insecure correlation is found, an alarm is triggered.
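Claim 3 below lists the indicators of exploit attempts that the baseband monitor may look for on the interfaces and memory areas shared between AP and BP: malformed messages or data structures, very large data blocks, messages not seen in normal operation, and attempts to access memory inconsistent with normal operation. As an added illustration, not code from the patent or from any device, the following checker applies those indicators to frames a baseband might place in the shared window of the Fig. 1 memory layout. The frame layout, the memory map, the message-type table, the size limit and the sample frames are all assumptions constructed for this example.

```python
"""Check messages that the baseband places in the shared memory window for
the indicators listed in claim 3: malformed headers, very large blocks,
message types not seen in normal operation, and buffer references outside
the shared area. Illustration only; the frame layout, the memory map and
the message-type table are assumptions, not a real device's interface."""
import struct

# Assumed memory map following the Fig. 1 description: the memory controller
# exposes one shared window; everything else is AP-private or BP-private.
SHARED_BASE, SHARED_SIZE = 0x8000_0000, 0x0010_0000
AP_BASE = 0x9000_0000

# Assumed frame layout: magic(2) | msg_type(1) | flags(1) | length(4) | payload
HDR = struct.Struct("<HBBI")
MAGIC = 0xB5B5
MAX_PAYLOAD = 4096            # largest block seen in normal operation (assumed)
NORMAL_TYPES = {0x01: "CALL_STATUS", 0x02: "SMS_IND", 0x03: "DATA_IND", 0x10: "BUF_DESC"}
BUF_DESC = 0x10               # payload: address(4) | size(4) of a buffer the AP should read

def in_shared(addr: int, size: int) -> bool:
    """True if [addr, addr + size) lies entirely inside the shared window."""
    return SHARED_BASE <= addr and addr + size <= SHARED_BASE + SHARED_SIZE

def check_frame(raw: bytes) -> list:
    """Return the indicators found in one frame (empty list = unremarkable)."""
    findings = []
    if len(raw) < HDR.size:
        return ["truncated header"]
    magic, mtype, _flags, length = HDR.unpack_from(raw)
    if magic != MAGIC:
        findings.append(f"bad magic {magic:#06x}")
    if length != len(raw) - HDR.size:
        findings.append(f"length field {length} does not match payload {len(raw) - HDR.size}")
    if length > MAX_PAYLOAD:
        findings.append(f"oversized block: {length} > {MAX_PAYLOAD}")
    if mtype not in NORMAL_TYPES:
        findings.append(f"message type {mtype:#04x} not seen in normal operation")
    elif mtype == BUF_DESC and len(raw) - HDR.size >= 8:
        addr, size = struct.unpack_from("<II", raw, HDR.size)
        if not in_shared(addr, size):
            findings.append(f"buffer {addr:#010x}+{size:#x} lies outside the shared window")
    return findings

def build(mtype: int, payload: bytes = b"", magic: int = MAGIC, length: int = None) -> bytes:
    """Construct a frame; the length override is used to build malformed ones."""
    return HDR.pack(magic, mtype, 0, len(payload) if length is None else length) + payload

def audit(frames) -> list:
    """Run check_frame over a captured sequence; returns (index, findings) pairs."""
    return [(i, check_frame(f)) for i, f in enumerate(frames)]

# Constructed capture: two well-formed frames, then four that trip indicators.
FRAMES = [
    build(0x01, b"\x01"),                                            # call status, normal
    build(BUF_DESC, struct.pack("<II", SHARED_BASE + 0x100, 0x200)), # buffer inside shared window
    build(BUF_DESC, struct.pack("<II", AP_BASE + 0x1000, 0x40)),     # buffer points into AP memory
    build(0x03, b"\x00" * 16, length=0x10000),                       # length mismatch and oversized
    build(0x7F, b"\xcc" * 4),                                        # type never seen normally
    b"\xb5",                                                          # truncated header
]

if __name__ == "__main__":
    for i, found in audit(FRAMES):
        print(f"frame {i}: {'; '.join(found) or 'ok'}")
```

The buffer-descriptor check is the one that needs the Fig. 1 memory map: a descriptor whose address falls in AP memory is exactly the "access to memory areas not consistent with normal operation" indicator, and the memory controller's logical separation is what makes the shared window a well-defined range to test against.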
Claims (16)
1. Method for detecting an attack on a baseband processor of a mobile device which comprises the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps:
   a) monitoring, by a baseband monitor component, the behavior of the baseband processor by using features available on the respective mobile device,
   b) monitoring, by an application monitor component, the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that cause normal baseband activities as intended by the user,
   c) correlating, by an evaluator component, the baseband processor behavior with the application processor behavior in order to distinguish between legitimate and suspicious/illegitimate baseband activities,
   d) initiating, by a defense component, countermeasures designed to ward off the suspicious/illegitimate baseband activities.
2. The method according to claim 1, wherein the initiation of countermeasures designed to ward off the suspicious/illegitimate baseband activities comprises one or more of the following: resetting the baseband processor, resetting the phone, forcing all connections to be dropped.
3. The method according to claim 1 or 2, wherein the monitoring by the baseband monitor comprises one or more of the following:
   - collecting information on the power consumption of individual hardware components of the mobile device,
   - collecting information on the audio path configuration,
   - collecting information on the response time to normal service requests from the application processor to the baseband processor,
   - monitoring communication interfaces or memory areas shared between application processor and baseband processor for atypical communication patterns,
   - monitoring communication interfaces and memory areas shared between application processor and baseband processor for patterns associated with exploit attempts,
   - collecting information obtained from the baseband processor's debugging output;
   and preferably wherein the monitoring of communication interfaces or memory areas shared between application processor and baseband processor for patterns associated with exploit attempts comprises one or more of the following:
   - monitoring for malformed messages or data structures or very large data blocks,
   - monitoring the usage of procedures, functions, features or messages not seen in normal operation,
   - monitoring attempts to access memory areas not consistent with normal operation;
   and preferably wherein the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following:
   - timing and volume of voice call setup,
   - timing and volume of data transmission,
   - timing and volume of SMS message transmission,
   - timing and sequence of establishment of traffic channels.
4. Method according to any of claims 1 to 3, wherein the evaluator component flags the absence of standard A5/1, A5/2 or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks, which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.
5. Method according to any of claims 1 to 4, wherein the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network, and the defense component warns the mobile device's user that a rogue base station (a so-called "IMSI catcher") has been detected and/or shuts down the baseband processor in order to prevent exploitation;
   and preferably wherein the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network using one or more of the following information:
   - cell identification, distance and signal strength,
   - signal growth/attenuation,
   - forced network change from 3G to 2G,
   - unusual changes in the list of neighboring cells,
   - unusual configuration parameters of the base station designed to make it appear more 'attractive' to the targeted mobile device(s),
   - network parameters not consistent with the mobile device's location and/or the currently selected mobile network operator.
6. Method according to any of claims 1 to 5, wherein the evaluator component categorizes activities on the baseband processor into different classes ranging from normal/inconspicuous to highly suspicious;
   and preferably wherein the evaluator plots all events in a diagram that shows baseband activity and the suspiciousness of baseband activities over time and that is displayed on either the mobile device's screen or an external display device;
   and preferably wherein the evaluator component compiles the information on the suspiciousness of baseband activities over time into one single integrated graphical representation of the overall threat level with respect to the mobile device's baseband processor, or into the form of a 'threat level thermometer', displayed on either the mobile device's screen or an external display device.
7. Method according to any of claims 1 to 6, wherein the evaluator component records baseband activity in a log file that can subsequently be read and combined with log files from other mobile devices by the reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject.
8. Method according to any of claims 1 to 7, wherein the evaluator component transmits data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks;
   and preferably wherein the remote reporter analytics entity sends out warnings and configuration changes to mobile devices in respect of detected hostile network activity;
   and preferably wherein the remote reporter analytics entity sends out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas, for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious/illegitimate activities.
9. Mobile device configured to detect an attack on a baseband processor, comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, and comprising:
   a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the respective mobile device,
   b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that cause normal baseband activities as intended by the user,
   c) an evaluator component configured to correlate the baseband processor behavior with the application processor behavior in order to distinguish between legitimate and suspicious/illegitimate baseband activities,
   d) a defense component configured to initiate countermeasures designed to ward off the suspicious/illegitimate baseband activities.
10. Mobile device according to claim 9, wherein the defense component is configured to initiate countermeasures designed to ward off the suspicious/illegitimate baseband activities comprising one or more of the following: resetting the baseband processor, resetting the phone, forcing all connections to be dropped.
11. Mobile device according to claim 9 or 10, wherein the baseband monitor component is configured to implement one or more of the following:
   - collecting information on the power consumption of individual hardware components of the mobile device,
   - collecting information on the audio path configuration,
   - collecting information on the response time to normal service requests from the application processor to the baseband processor,
   - monitoring communication interfaces or memory areas shared between application processor and baseband processor for atypical communication patterns,
   - monitoring communication interfaces and memory areas shared between application processor and baseband processor for patterns associated with exploit attempts,
   - collecting information obtained from the baseband processor's debugging output;
   and preferably wherein the monitoring of communication interfaces or memory areas shared between application processor and baseband processor for patterns associated with exploit attempts comprises one or more of the following:
   - monitoring for malformed messages or data structures or very large data blocks,
   - monitoring the usage of procedures, functions, features or messages not seen in normal operation,
   - monitoring attempts to access memory areas not consistent with normal operation;
   and preferably wherein the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following:
   - timing and volume of voice call setup,
   - timing and volume of data transmission,
   - timing and volume of SMS message transmission,
   - timing and sequence of establishment of traffic channels.
12. Mobile device according to any of claims 9 to 11, wherein the evaluator component is configured to flag the absence of standard A5/1, A5/2 or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks, which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.
13. Mobile device according to any of claims 9 to 12, wherein the evaluator component is configured to flag the presence of a rogue base station that does not belong to the legitimate mobile network, and the defense component is configured to warn the mobile device's user that a rogue base station (a so-called "IMSI catcher") has been detected and/or to shut down the baseband processor in order to prevent exploitation;
   and preferably wherein the evaluator component is configured to flag the presence of a rogue base station that does not belong to the legitimate mobile network using one or more of the following information:
   - cell identification, distance and signal strength,
   - signal growth/attenuation,
   - forced network change from 3G to 2G,
   - unusual changes in the list of neighboring cells,
   - unusual configuration parameters of the base station designed to make it appear more 'attractive' to the targeted mobile device(s),
   - network parameters not consistent with the mobile device's location and/or the currently selected mobile network operator.
14. Mobile device according to any of claims 9 to 13, wherein the evaluator component is configured to categorize activities on the baseband processor into different classes ranging from normal/inconspicuous to highly suspicious;
   and preferably wherein the evaluator is configured to plot all events in a diagram that shows baseband activity and the suspiciousness of baseband activities over time and that is displayed on either the mobile device's screen or an external display device;
   and preferably wherein the evaluator component is configured to compile the information on the suspiciousness of baseband activities over time into one single integrated graphical representation of the overall threat level with respect to the mobile device's baseband processor, or into the form of a 'threat level thermometer', displayed on either the mobile device's screen or an external display device.
15. Mobile device according to any of claims 9 to 14, wherein the evaluator component is configured to record baseband activity in a log file that can subsequently be read and combined with log files from other mobile devices by the reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject.
16. Mobile device according to any of claims 9 to 15, wherein the evaluator component is configured to transmit data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks;
   and preferably wherein the remote reporter analytics entity is configured to send out warnings and configuration changes to mobile devices in respect of detected hostile network activity;
   and preferably wherein the remote reporter analytics entity is configured to send out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas, for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious/illegitimate activities.
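Claims 4 and 5 (mirrored in 12 and 13) list the network-side indicators the evaluator may use: absence of link encryption, and cell identification, signal changes, a forced 3G-to-2G change, changes in the neighbor list, unusually 'attractive' cell parameters, and parameters inconsistent with the device's location or selected operator. The following is an added example, not code from the patent or any product, that scores a constructed sequence of serving-cell observations on those indicators, sorts each observation into the classes of claim 6, and folds the window into a single threat-level figure with the defense action of claim 5. The record format, the known-cell list, the weights, the thresholds and the trace itself are assumptions made for this example.

```python
"""Score serving-cell observations for the rogue base station and
missing-encryption indicators of claims 4 and 5, classify them per claim 6
and reduce the window to one threat level. Illustration only; the record
layout, known-cell list, weights and thresholds are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class CellObs:
    t: int                # seconds since start of the window
    mcc: str
    mnc: str
    lac: int
    cell_id: int
    rat: str              # "3G" or "2G"
    rssi_dbm: int
    cipher: str           # GSM: "A5/1", "A5/3", "A5/0" (none); UMTS: "UEA1", "UEA0" (none)
    neighbors: List[int]  # neighbor cell ids announced by the serving cell
    cro_db: int = 0       # GSM cell reselection offset advertised by the cell

# Assumed: cells the selected operator is known to run at the current
# location (e.g. learned from earlier uneventful sessions). Constructed.
HOME_PLMN = ("262", "01")
KNOWN_CELLS = {("262", "01", 1234, 40001), ("262", "01", 1234, 40002), ("262", "01", 1234, 40003)}
NO_CIPHER = {"A5/0", "UEA0"}

def score(prev: Optional[CellObs], cur: CellObs) -> Tuple[int, List[str]]:
    """Return (points, reasons) for one observation. Weights (assumed) rise
    with how hard the indicator is to explain by a legitimate network."""
    pts, why = 0, []
    if cur.cipher in NO_CIPHER:
        pts += 3; why.append(f"link encryption off ({cur.cipher})")
    if (cur.mcc, cur.mnc) != HOME_PLMN:
        pts += 2; why.append(f"PLMN {cur.mcc}-{cur.mnc} is not the selected operator")
    if (cur.mcc, cur.mnc, cur.lac, cur.cell_id) not in KNOWN_CELLS:
        pts += 2; why.append(f"cell {cur.lac}/{cur.cell_id} unknown at this location")
    if not cur.neighbors:
        pts += 2; why.append("serving cell announces no neighbors")
    if cur.cro_db >= 30:
        pts += 2; why.append(f"reselection offset {cur.cro_db} dB makes the cell unusually attractive")
    if prev is not None:
        if prev.rat == "3G" and cur.rat == "2G":
            pts += 2; why.append("forced change from 3G to 2G")
        if cur.rssi_dbm - prev.rssi_dbm >= 25:
            pts += 1; why.append(f"signal jumped {cur.rssi_dbm - prev.rssi_dbm} dB")
        if prev.neighbors and not set(prev.neighbors) & set(cur.neighbors):
            pts += 1; why.append("neighbor list changed completely")
    return pts, why

def threat_class(pts: int) -> str:
    """Claim 6 style classes; the cut-offs are assumptions."""
    if pts == 0:
        return "normal"
    return "suspicious" if pts < 4 else "highly suspicious"

def evaluate(observations: List[CellObs]):
    """Per-observation results plus the integrated 'thermometer' value
    (peak points over the window) and the defense action it maps to."""
    rows, prev, peak = [], None, 0
    for cur in observations:
        pts, why = score(prev, cur)
        peak = max(peak, pts)
        rows.append((cur.t, threat_class(pts), pts, why))
        prev = cur
    action = {"normal": "none", "suspicious": "warn user",
              "highly suspicious": "warn user and shut down baseband"}[threat_class(peak)]
    return rows, peak, action

# Constructed trace: two ordinary 3G observations, then the device is pulled
# onto an unknown 2G cell with no neighbors, a large offset and no cipher.
TRACE = [
    CellObs(0,  "262", "01", 1234, 40001, "3G", -85, "UEA1", [40002, 40003]),
    CellObs(30, "262", "01", 1234, 40002, "3G", -80, "UEA1", [40001, 40003]),
    CellObs(60, "262", "01", 9999, 1,     "2G", -50, "A5/0", [], cro_db=60),
    CellObs(90, "262", "01", 9999, 1,     "2G", -48, "A5/0", [], cro_db=60),
]

if __name__ == "__main__":
    rows, peak, action = evaluate(TRACE)
    for t, cls, pts, why in rows:
        print(f"t={t:>3}s {cls:<17} {pts:>2} pts  {'; '.join(why) or '-'}")
    print(f"threat level {peak} -> {action}")
```

The 3G observations in the trace carry UEA1 rather than an A5 cipher because UMTS uses the UEA algorithms; the evaluator treats A5/0 and UEA0 alike as "no link encryption". The third observation accumulates every indicator at once (13 points), and the fourth stays highly suspicious on the static indicators alone, which is why the window-level thermometer reports the peak rather than the latest value.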
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201261666742P | 2012-06-29 | 2012-06-29 |
Publications (2)
Publication Number | Publication Date |
---|---|
EP2680182A1 true EP2680182A1 (en) | 2014-01-01 |
EP2680182B1 EP2680182B1 (en) | 2016-03-16 |
Family
ID=48325465
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP13167024.2A Active EP2680182B1 (en) | 2012-06-29 | 2013-05-08 | Mobile device and method to monitor a baseband processor in relation to the actions on an application processor |
Country Status (1)
Country | Link |
---|---|
EP (1) | EP2680182B1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102006016994A1 (en) * | 2006-04-11 | 2007-10-18 | Giesecke & Devrient Gmbh | Recording the resource consumption |
US20090260081A1 (en) * | 2008-04-14 | 2009-10-15 | Tecsys Development, Inc. | System and Method for Monitoring and Securing a Baseboard Management Controller |
US20100121916A1 (en) * | 2008-11-12 | 2010-05-13 | Lin Yeejang James | Method for adaptively building a baseline behavior model |
US20100251370A1 (en) * | 2009-03-26 | 2010-09-30 | Inventec Corporation | Network intrusion detection system |
US20120096539A1 (en) * | 2006-11-27 | 2012-04-19 | Juniper Networks, Inc. | Wireless intrusion prevention system and method |
Cited By (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9609456B2 (en) | 2012-05-14 | 2017-03-28 | Qualcomm Incorporated | Methods, devices, and systems for communicating behavioral analysis information |
US9189624B2 (en) | 2012-05-14 | 2015-11-17 | Qualcomm Incorporated | Adaptive observation of behavioral features on a heterogeneous platform |
US9202047B2 (en) | 2012-05-14 | 2015-12-01 | Qualcomm Incorporated | System, apparatus, and method for adaptive observation of mobile device behavior |
US9292685B2 (en) | 2012-05-14 | 2016-03-22 | Qualcomm Incorporated | Techniques for autonomic reverting to behavioral checkpoints |
US9298494B2 (en) | 2012-05-14 | 2016-03-29 | Qualcomm Incorporated | Collaborative learning for efficient behavioral analysis in networked mobile device |
US9898602B2 (en) | 2012-05-14 | 2018-02-20 | Qualcomm Incorporated | System, apparatus, and method for adaptive observation of mobile device behavior |
US9324034B2 (en) | 2012-05-14 | 2016-04-26 | Qualcomm Incorporated | On-device real-time behavior analyzer |
US9152787B2 (en) | 2012-05-14 | 2015-10-06 | Qualcomm Incorporated | Adaptive observation of behavioral features on a heterogeneous platform |
US9349001B2 (en) | 2012-05-14 | 2016-05-24 | Qualcomm Incorporated | Methods and systems for minimizing latency of behavioral analysis |
US9690635B2 (en) | 2012-05-14 | 2017-06-27 | Qualcomm Incorporated | Communicating behavior information in a mobile computing device |
US9747440B2 (en) | 2012-08-15 | 2017-08-29 | Qualcomm Incorporated | On-line behavioral analysis engine in mobile device with multiple analyzer model providers |
US9495537B2 (en) | 2012-08-15 | 2016-11-15 | Qualcomm Incorporated | Adaptive observation of behavioral features on a mobile device |
US9330257B2 (en) | 2012-08-15 | 2016-05-03 | Qualcomm Incorporated | Adaptive observation of behavioral features on a mobile device |
US9319897B2 (en) | 2012-08-15 | 2016-04-19 | Qualcomm Incorporated | Secure behavior analysis over trusted execution environment |
US10089582B2 (en) | 2013-01-02 | 2018-10-02 | Qualcomm Incorporated | Using normalized confidence values for classifying mobile device behaviors |
US9686023B2 (en) | 2013-01-02 | 2017-06-20 | Qualcomm Incorporated | Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors |
US9684870B2 (en) | 2013-01-02 | 2017-06-20 | Qualcomm Incorporated | Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors |
US9742559B2 (en) | 2013-01-22 | 2017-08-22 | Qualcomm Incorporated | Inter-module authentication for securing application execution integrity within a computing device |
US11592850B2 (en) | 2013-02-11 | 2023-02-28 | Graco Minnesota Inc. | Remote monitoring for fluid applicator system |
US11372432B2 (en) | 2013-02-11 | 2022-06-28 | Graco Minnesota Inc. | Remote monitoring for fluid applicator system |
US11698650B2 (en) | 2013-02-11 | 2023-07-11 | Graco Minnesota Inc. | Remote monitoring for fluid applicator system |
US11630470B2 (en) | 2013-02-11 | 2023-04-18 | Graco Inc. | Remote monitoring for fluid applicator system |
US11144079B2 (en) | 2013-02-11 | 2021-10-12 | Graco Minnesota Inc. | Remote monitoring for fluid applicator system |
US11249498B2 (en) | 2013-02-11 | 2022-02-15 | Graco Minnesota Inc. | Remote monitoring for fluid applicator system |
US9491187B2 (en) | 2013-02-15 | 2016-11-08 | Qualcomm Incorporated | APIs for obtaining device-specific behavior classifier models from the cloud |
US10149343B2 (en) | 2015-05-11 | 2018-12-04 | Apple Inc. | Use of baseband triggers to coalesce application data activity |
CN112640571A (en) * | 2018-08-23 | 2021-04-09 | John Mezzalingua Associates, LLC | System and method for creating and managing private sub-networks of LTE base stations |
US11228910B2 (en) | 2019-01-25 | 2022-01-18 | V440 Spółka Akcyjna | Mobile communication device and method of determining security status thereof |
EP3687120A1 (en) * | 2019-01-25 | 2020-07-29 | Usecrypt S.A. | Mobile communication device and method of determining security status thereof |
US11934210B2 (en) | 2022-07-08 | 2024-03-19 | Graco Minnesota Inc. | Paint sprayer distributed control and output volume monitoring architectures |
US11934211B2 (en) | 2023-04-07 | 2024-03-19 | Graco Minnesota Inc. | Paint sprayer distributed control and output volume monitoring architectures |
US11934212B2 (en) | 2023-04-07 | 2024-03-19 | Graco Minnesota Inc. | Paint sprayer distributed control and output volume monitoring architectures |
Also Published As
Publication number | Publication date |
---|---|
EP2680182B1 (en) | 2016-03-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9191823B2 (en) | Mobile device and method to monitor a baseband processor in relation to the actions on an applicaton processor | |
EP2680182B1 (en) | Mobile device and method to monitor a baseband processor in relation to the actions on an application processor | |
EP3375159B1 (en) | Dynamic honeypot system | |
EP3681120B1 (en) | Method and device for accessing device identifiers | |
US20130055387A1 (en) | Apparatus and method for providing security information on background process | |
US20120222120A1 (en) | Malware detection method and mobile terminal realizing the same | |
EP2562673B1 (en) | Apparatus and method for securing mobile terminal | |
US20130254880A1 (en) | System and method for crowdsourcing of mobile application reputations | |
EP3343968B1 (en) | Monitoring apparatus, device monitoring system and method of monitoring a plurality of networked devices | |
CN104462970A (en) | Android application program permission abuse detecting method based on process communication | |
CN105263142A (en) | Method and device for identifying pseudo base station | |
CN102082802A (en) | Behavior-based mobile terminal security protection system and method | |
CN110149599B (en) | Short message protection method and terminal equipment | |
CN101257678A (en) | Method, terminal and system for realizing mobile terminal software safe detection | |
CN110622539A (en) | Detecting a fake cell tower | |
KR20120136126A (en) | Method and apparatus for treating malicious action in mobile terminal | |
US8923815B1 (en) | Method for detecting changes in security level in mobile networks | |
CN106709282B (en) | resource file decryption method and device | |
CN102509054A (en) | Mobile terminal and application program control method for mobile terminal | |
CN105550584A (en) | RBAC based malicious program interception and processing method in Android platform | |
CN105069374A (en) | Private data intercepting protection method and system | |
CN110502926A (en) | Privacy closes rule detection method and device | |
US8391838B2 (en) | Secure mobile communication system and method | |
CN102572814B (en) | A kind of mobile terminal virus monitor method, system and device | |
KR101284013B1 (en) | Smartphone Malicious Application Detect System and Method based on Client Program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20131107 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
17Q | First examination report despatched |
Effective date: 20150205 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
INTG | Intention to grant announced |
Effective date: 20151123 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
INTG | Intention to grant announced |
Effective date: 20160115 |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: REF Ref document number: 781793 Country of ref document: AT Kind code of ref document: T Effective date: 20160415 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602013005471 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: SE Ref legal event code: TRGR |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 4 |
|
REG | Reference to a national code |
Ref country code: NO Ref legal event code: T2 Effective date: 20160316 |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: FP |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG4D |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160617 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 781793 Country of ref document: AT Kind code of ref document: T Effective date: 20160316 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20160531 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160716 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160718
Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602013005471 Country of ref document: DE |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160508
Ref country code: BE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
26N | No opposition filed |
Effective date: 20161219 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160616 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 5 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: PLFP Year of fee payment: 6 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: HU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO Effective date: 20130508 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MT Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20160531
Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316
Ref country code: MK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20160316 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: NO Payment date: 20230519 Year of fee payment: 11
Ref country code: NL Payment date: 20230519 Year of fee payment: 11
Ref country code: IE Payment date: 20230516 Year of fee payment: 11
Ref country code: FR Payment date: 20230502 Year of fee payment: 11
Ref country code: DE Payment date: 20230531 Year of fee payment: 11
Ref country code: CH Payment date: 20230605 Year of fee payment: 11 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: SE Payment date: 20230522 Year of fee payment: 11
Ref country code: FI Payment date: 20230523 Year of fee payment: 11 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20230502 Year of fee payment: 11 |